Malware Analysis Report

2025-05-05 23:43

Sample ID 230208-zc3r2sfh66
Target Malware.zip
SHA256 e660768142d773f0116a2f6409af74339bb69b9bba780c3dd342ef70b1920c65
Tags
qakbot bb14 1675848844 banker stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e660768142d773f0116a2f6409af74339bb69b9bba780c3dd342ef70b1920c65

Threat Level: Known bad

The file Malware.zip was found to be: Known bad.

Malicious Activity Summary

qakbot bb14 1675848844 banker stealer trojan

(Tag reading: bb14 is the Qakbot botnet ID and 1675848844 the campaign ID; Qakbot campaign IDs read as Unix timestamps, and this one decodes to 2023-02-08 09:34:04 UTC, the same day the sample was submitted.)

Qakbot/Qbot

Program crash

Discovers systems in the same network

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-02-08 20:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-08 20:35

Reported

2023-02-08 20:45

Platform

win10-20220812-en

Max time kernel

599s

Max time network

593s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\netstat.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A 2
N/A N/A C:\Windows\SysWOW64\msra.exe N/A 62

Suspicious behavior: MapViewOfSection

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A 2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\netstat.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A 27
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A 1

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1776 wrote to memory of 4372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe 2
PID 4372 wrote to memory of 4728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 3
PID 4728 wrote to memory of 1440 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe 3
PID 4728 wrote to memory of 1984 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe 5
PID 4728 wrote to memory of 3404 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msra.exe 5
PID 3404 wrote to memory of 4944 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\net.exe 3
PID 3404 wrote to memory of 4400 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3404 wrote to memory of 4384 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\arp.exe 3
PID 3404 wrote to memory of 1764 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\ipconfig.exe 3
PID 3404 wrote to memory of 1468 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\nslookup.exe 3
PID 3404 wrote to memory of 2272 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\net.exe 3
PID 2272 wrote to memory of 3056 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe 3
PID 3404 wrote to memory of 3888 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\route.exe 3
PID 3404 wrote to memory of 2128 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\netstat.exe 3
PID 3404 wrote to memory of 4160 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\net.exe 3
PID 4160 wrote to memory of 2952 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe 3
PID 3404 wrote to memory of 4860 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\whoami.exe 3

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"

C:\Windows\system32\rundll32.exe

rundll32.exe putty.jpg,Wind

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe putty.jpg,Wind

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\msra.exe

C:\Windows\SysWOW64\msra.exe

C:\Windows\SysWOW64\net.exe

net view

C:\Windows\SysWOW64\cmd.exe

cmd /c set

C:\Windows\SysWOW64\arp.exe

arp -a

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /all

C:\Windows\SysWOW64\nslookup.exe

nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP

C:\Windows\SysWOW64\net.exe

net share

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 share

C:\Windows\SysWOW64\route.exe

route print

C:\Windows\SysWOW64\netstat.exe

netstat -nao

C:\Windows\SysWOW64\net.exe

net localgroup

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\SysWOW64\whoami.exe

whoami /all

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country Destination Domain Proto
GB 51.105.71.137:443 - tcp
US 93.184.221.240:80 - tcp
US 8.8.8.8:53 yahoo.com udp
US 74.6.143.25:443 yahoo.com tcp
US 8.8.8.8:53 www.yahoo.com udp
IE 87.248.100.216:443 www.yahoo.com tcp
IE 87.248.100.216:443 www.yahoo.com tcp
US 50.20.171.2:443 50.20.171.2 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 _ldap._tcp.dc._msdcs.WORKGROUP udp
US 8.8.8.8:53 _ldap._tcp.dc._msdcs.WORKGROUP udp
US 8.8.8.8:53 evcs-ocsp.ws.symantec.com udp
SE 23.52.27.27:80 evcs-ocsp.ws.symantec.com tcp
US 50.20.171.2:443 50.20.171.2 tcp
US 50.20.171.2:443 50.20.171.2 tcp
US 8.8.8.8:53 oracle.com udp
US 138.1.33.162:443 oracle.com tcp
US 8.8.8.8:53 www.oracle.com udp
NL 23.206.84.89:443 www.oracle.com tcp
US 50.20.171.2:443 50.20.171.2 tcp

Files

memory/4372-116-0x0000000000000000-mapping.dmp

memory/4728-117-0x0000000000000000-mapping.dmp

memory/4728-118-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-119-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-120-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-121-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-122-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-123-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-124-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-125-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-126-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-127-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-128-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-129-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-130-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-131-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-132-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-133-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-134-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-135-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-136-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-137-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-138-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-139-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-140-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-141-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-142-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-143-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-144-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-145-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-146-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-147-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-148-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-149-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-150-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-151-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-152-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-153-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-154-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-155-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-156-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-157-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-158-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-159-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-160-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-161-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-162-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-163-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-164-0x0000000010000000-0x0000000010023000-memory.dmp

memory/4728-169-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-170-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-172-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-171-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-173-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-174-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-175-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-176-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4728-177-0x0000000002F90000-0x0000000002F93000-memory.dmp

memory/1984-178-0x0000000000000000-mapping.dmp

memory/1984-179-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/1984-180-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/1984-181-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/1984-182-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/1984-183-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/3404-197-0x0000000000000000-mapping.dmp

memory/3404-254-0x0000000000370000-0x0000000000393000-memory.dmp

memory/3404-255-0x0000000000370000-0x0000000000393000-memory.dmp

memory/4944-286-0x0000000000000000-mapping.dmp

memory/4400-309-0x0000000000000000-mapping.dmp

memory/4384-315-0x0000000000000000-mapping.dmp

memory/1764-333-0x0000000000000000-mapping.dmp

memory/1468-351-0x0000000000000000-mapping.dmp

memory/2272-382-0x0000000000000000-mapping.dmp

memory/3056-402-0x0000000000000000-mapping.dmp

memory/3888-422-0x0000000000000000-mapping.dmp

memory/2128-438-0x0000000000000000-mapping.dmp

memory/4160-458-0x0000000000000000-mapping.dmp

memory/2952-478-0x0000000000000000-mapping.dmp

memory/4860-499-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-08 20:35

Reported

2023-02-08 20:45

Platform

win7-20220812-en

Max time kernel

600s

Max time network

602s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\netstat.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A 1
N/A N/A C:\Windows\SysWOW64\msra.exe N/A 63

Suspicious behavior: MapViewOfSection

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A 2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\netstat.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A 23
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A 1
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A 1
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A 1

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1632 wrote to memory of 1648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe 3
PID 1648 wrote to memory of 956 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 7
PID 956 wrote to memory of 1404 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe 4
PID 956 wrote to memory of 1720 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe 6
PID 956 wrote to memory of 1008 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msra.exe 6
PID 1008 wrote to memory of 1716 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\net.exe 4
PID 1008 wrote to memory of 1580 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1008 wrote to memory of 832 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\arp.exe 4
PID 1008 wrote to memory of 1760 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\ipconfig.exe 4
PID 1008 wrote to memory of 1932 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\nslookup.exe 4
PID 1008 wrote to memory of 1500 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\net.exe 4
PID 1500 wrote to memory of 1740 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe 4
PID 1008 wrote to memory of 388 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\route.exe 4
PID 1008 wrote to memory of 1944 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\netstat.exe 4
PID 1008 wrote to memory of 1208 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\net.exe 2
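The sandbox logs one row per cross-process write, so the WriteProcessMemory tables in behavioral1 and behavioral2 repeat the same parent/child pair several times and mix two very different things: a parent setting up a child it has just created (cmd.exe into rundll32.exe, msra.exe into each recon tool) and rundll32.exe writing into wermgr.exe and msra.exe, two Windows binaries it has no legitimate reason to start, which is where the payload is moved before the recon commands run. The following Python is an added example, not part of the sandbox report or of any tool it describes. It collapses the rows into a deduplicated tree, picks out the rundll32.exe writes into other images as injection hosts, and flags an injected host that launches four or more distinct recon LOLBins. The input rows are copied from the behavioral1 table (the behavioral2 table has the same shape and parses identically); the injector name, the tool list and the threshold are assumptions.

```python
import re
from collections import defaultdict
from ntpath import basename

# Constructed input: rows copied from the behavioral1 "Suspicious use of
# WriteProcessMemory" table (one duplicate kept to show the de-duplication,
# the rest of the repeats and two net.exe/net1.exe pairs trimmed).
WPM_ROWS = r"""
PID 1776 wrote to memory of 4372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1776 wrote to memory of 4372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4372 wrote to memory of 4728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4728 wrote to memory of 1440 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 4728 wrote to memory of 1984 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 4728 wrote to memory of 3404 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msra.exe
PID 3404 wrote to memory of 4944 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\net.exe
PID 3404 wrote to memory of 4400 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 4384 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\arp.exe
PID 3404 wrote to memory of 1764 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\ipconfig.exe
PID 3404 wrote to memory of 1468 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\nslookup.exe
PID 3404 wrote to memory of 2272 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 3056 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3404 wrote to memory of 3888 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\route.exe
PID 3404 wrote to memory of 2128 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\netstat.exe
PID 3404 wrote to memory of 4860 N/A C:\Windows\SysWOW64\msra.exe C:\Windows\SysWOW64\whoami.exe
"""

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

# Assumed watch values (not from the report): the image that performed the
# injection in this run, and the LOLBins the recon burst is made of.
INJECTOR = "rundll32.exe"
RECON_TOOLS = {"net.exe", "cmd.exe", "arp.exe", "ipconfig.exe", "nslookup.exe",
               "route.exe", "netstat.exe", "whoami.exe"}


def parse_edges(text):
    """Collapse per-write rows into {(src_pid, dst_pid): [src_image, dst_image, writes]}."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        key = (int(src), int(dst))
        if key in edges:
            edges[key][2] += 1
        else:
            edges[key] = [src_img, dst_img, 1]
    return edges


def roots(edges):
    """PIDs that write to others but were never written to: the chain's origin."""
    srcs = {s for s, _ in edges}
    dsts = {d for _, d in edges}
    return sorted(srcs - dsts)


def injection_hosts(edges):
    """Targets written to by rundll32.exe other than its own 32-bit relaunch.

    A parent writing into a child it has just created is normal (that is what
    cmd.exe -> rundll32.exe and msra.exe -> net.exe are); rundll32.exe writing
    into wermgr.exe or msra.exe is the payload being moved into a host process.
    """
    hosts = {}
    for (_, dst), (src_img, dst_img, _) in edges.items():
        if basename(src_img).lower() == INJECTOR and basename(dst_img).lower() != INJECTOR:
            hosts[dst] = basename(dst_img).lower()
    return hosts


def recon_bursts(edges, hosts, threshold=4):
    """Injected hosts that launched at least `threshold` distinct recon tools."""
    launched = defaultdict(set)
    for (src, _), (_, dst_img, _) in edges.items():
        tool = basename(dst_img).lower()
        if src in hosts and tool in RECON_TOOLS:
            launched[src].add(tool)
    return {pid: sorted(t) for pid, t in launched.items() if len(t) >= threshold}


def render_tree(edges, root):
    """Indented parent -> child view, one line per PID, with the write count."""
    children = defaultdict(list)
    images = {}
    for (src, dst), (src_img, dst_img, n) in edges.items():
        children[src].append((dst, n))
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
    lines = []

    def walk(pid, depth, n):
        tag = f" [{n} write(s)]" if n else ""
        lines.append("  " * depth + f"{pid} {basename(images[pid])}{tag}")
        for child, cnt in sorted(children.get(pid, [])):
            walk(child, depth + 1, cnt)

    walk(root, 0, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    for root in roots(edges):
        print(render_tree(edges, root))
    hosts = injection_hosts(edges)
    print("injection hosts:", hosts)
    print("recon bursts:", recon_bursts(edges, hosts))
```

On a live host the same two conditions map onto Sysmon: the injection edge is Event ID 10 (ProcessAccess) with a GrantedAccess that includes PROCESS_VM_WRITE and a source image of rundll32.exe, and the recon burst is a run of Event ID 1 (process creation) records sharing one parent within a short window.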

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"

C:\Windows\system32\rundll32.exe

rundll32.exe putty.jpg,Wind

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe putty.jpg,Wind

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\msra.exe

C:\Windows\SysWOW64\msra.exe

C:\Windows\SysWOW64\net.exe

net view

C:\Windows\SysWOW64\cmd.exe

cmd /c set

C:\Windows\SysWOW64\arp.exe

arp -a

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /all

C:\Windows\SysWOW64\nslookup.exe

nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP

C:\Windows\SysWOW64\net.exe

net share

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 share

C:\Windows\SysWOW64\route.exe

route print

C:\Windows\SysWOW64\netstat.exe

netstat -nao

C:\Windows\SysWOW64\net.exe

net localgroup

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\SysWOW64\whoami.exe

whoami /all

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           google.com                      udp
NL       142.250.179.142:443  google.com                      tcp
SA       2.88.198.90:995      2.88.198.90                     tcp
US       8.8.8.8:53           8.8.8.8.in-addr.arpa            udp
US       8.8.8.8:53           _ldap._tcp.dc._msdcs.WORKGROUP  udp
US       8.8.8.8:53           _ldap._tcp.dc._msdcs.WORKGROUP  udp
US       8.8.8.8:53           crl.microsoft.com               udp
NL       23.72.252.170:80     crl.microsoft.com               tcp
US       8.8.8.8:53           www.microsoft.com               udp
NL       173.223.113.131:80   www.microsoft.com               tcp
US       8.8.8.8:53           csc3-2004-crl.verisign.com      udp
SA       2.88.198.90:995      2.88.198.90                     tcp
SA       2.88.198.90:995      2.88.198.90                     tcp
US       8.8.8.8:53           www.microsoft.com               udp
US       8.8.8.8:53           yahoo.com                       udp
US       74.6.143.25:443      yahoo.com                       tcp
US       8.8.8.8:53           www.yahoo.com                   udp
IE       87.248.100.216:443   www.yahoo.com                   tcp
SA       2.88.198.90:995      2.88.198.90                     tcp

Files

memory/1648-54-0x0000000000000000-mapping.dmp

memory/956-55-0x0000000000000000-mapping.dmp

memory/956-56-0x0000000076091000-0x0000000076093000-memory.dmp

memory/956-57-0x0000000010000000-0x0000000010023000-memory.dmp

memory/956-62-0x00000000000B0000-0x00000000000B3000-memory.dmp

memory/956-63-0x00000000000B0000-0x00000000000B3000-memory.dmp

memory/1720-64-0x0000000000000000-mapping.dmp

memory/1008-66-0x0000000000000000-mapping.dmp

memory/1008-68-0x0000000000080000-0x00000000000A3000-memory.dmp

memory/1008-69-0x0000000000080000-0x00000000000A3000-memory.dmp

memory/1716-70-0x0000000000000000-mapping.dmp

memory/1580-71-0x0000000000000000-mapping.dmp

memory/832-72-0x0000000000000000-mapping.dmp

memory/1760-73-0x0000000000000000-mapping.dmp

memory/1932-75-0x0000000000000000-mapping.dmp

memory/1500-76-0x0000000000000000-mapping.dmp

memory/1740-77-0x0000000000000000-mapping.dmp

memory/388-78-0x0000000000000000-mapping.dmp

memory/1944-79-0x0000000000000000-mapping.dmp

memory/1208-80-0x0000000000000000-mapping.dmp

memory/2008-81-0x0000000000000000-mapping.dmp

memory/712-82-0x0000000000000000-mapping.dmp

memory/932-83-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-02-08 20:35

Reported

2023-02-08 20:45

Platform

win10-20220812-en

Max time kernel

375s

Max time network

437s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\putty.dll,#1

Signatures

Program crash

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 2208 wrote to memory of 2392  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 2392  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 2392  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\putty.dll,#1

C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\putty.dll,#1

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 636

Network

Country  Destination        Domain  Proto
US       52.168.112.66:443          tcp
US       93.184.221.240:80          tcp

Files

memory/2392-120-0x0000000000000000-mapping.dmp

memory/2392-121-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-122-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-123-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-124-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-125-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-126-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-127-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-128-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-129-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-130-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-131-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-132-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-133-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-134-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-135-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-136-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-137-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-138-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-139-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-140-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-141-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-142-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-143-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-144-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-145-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-147-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-146-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-148-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-149-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-150-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-151-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-152-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-153-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-154-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-155-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-156-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-157-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-158-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-159-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-160-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-161-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-162-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-163-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-164-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2392-165-0x0000000077540000-0x00000000776CE000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2023-02-08 20:35

Reported

2023-02-08 20:45

Platform

win7-20221111-en

Max time kernel

391s

Max time network

397s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\putty.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\putty.dll,#1

C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\putty.dll,#1

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 228

Network

N/A

Files

memory/1188-54-0x0000000000000000-mapping.dmp

memory/1188-55-0x00000000763D1000-0x00000000763D3000-memory.dmp

memory/1600-56-0x0000000000000000-mapping.dmp